Basic syntax of iptables firewall

Source: Internet
Author: User

I. Getting started with IPTABLES syntax:

iptables is a packet filtering management tool built on the netfilter framework.

You can use the /sbin/iptables command to manage iptables. As with the route command, the effect of an iptables command is lost after a reboot.

Running /etc/rc.d/init.d/iptables save writes the current iptables rules to the file /etc/sysconfig/iptables; /etc/rc.d/init.d/iptables start then loads the rules from /etc/sysconfig/iptables so they take effect again.

iptables can manipulate three tables: the filter table, the nat table and the mangle table. The -t parameter selects the table to operate on. filter is the default table: if -t is not given, the filter table is used.

Rule: filtering rules and port forwarding rules. For example, to stop any other machine from pinging our server, you can set a rule on the server:

Bash> iptables -A INPUT ! -s 127.0.0.1 -p icmp -j DROP

The rule starts with the chain it belongs to. Everything before -j is the condition (match) of the rule, and -j gives the action (target) of the rule. The whole command reads: append to the INPUT chain of the filter table a rule that drops every ICMP packet whose source address is not 127.0.0.1. The ! is written before the option it negates; older iptables releases also accepted -s ! 127.0.0.1, and current ones still take that form but print a deprecation warning.

Chain (rule chain): a chain is a sequence of rules, and every packet that enters the chain is checked against its rules in order. Chains are divided into system chains
and user-created chains. The system chains are described below.

System chains of the filter table: INPUT, FORWARD, OUTPUT
System chains of the nat table: PREROUTING, POSTROUTING, OUTPUT
System chains of the mangle table: PREROUTING, OUTPUT

Each system chain is checked at a specific point in the packet's path. For example, in packet filtering, a packet whose destination address is the local host enters the INPUT chain, and a packet sent out by the local host enters the OUTPUT chain.

All tables and chains are empty at startup. Configuring iptables means adding the appropriate rules to the right table and system chain.

You can also create new chains. A user chain can only be used as the target of a rule in a system chain. For example, you create a chain named AAA and want ICMP packets to be tested by it:

Bash> iptables -A INPUT -p icmp -j AAA

The preceding command makes the user-created chain AAA the target of the rule "-p icmp" in the system chain INPUT.

Each chain has a default policy, that is, the default action for a packet; it can be set to DROP or ACCEPT. When the system starts, all default policies are ACCEPT. When a packet has passed through all the rules of a chain without matching any of them, the system handles the packet according to the default policy.

iptables commands

Operations on tables

View: iptables -t table_name -L

Refresh:

1. Flush all rules (rules in user-created chains included):
iptables -t table_name -F

2. Zero all counters (number of matching packets and bytes):
iptables -t table_name -Z

Chain operations (-t table_name is omitted below)

View: iptables -L chain_name
Flush: iptables -F chain_name
Zero counters: iptables -Z chain_name
Create a chain: iptables -N chain_name
Delete a chain: iptables -X chain_name
Rename a chain: iptables -E chain_old_name chain_new_name
Set the policy: iptables -P chain_name policy

Rule operations

Add a rule: iptables -A chain_name rule-spec

Insert a rule: iptables -I chain_name rule_number new_rule_spec (the inserted rule takes the number given in the command;
the existing rule with that number and all rules after it move down by one).

Delete a rule: a rule can be deleted either by its rule number or by its content.
Rule numbers in each chain start from 1.
iptables -D chain_name rule_number
iptables -D chain_name rule_content

Modify a rule: iptables -R chain_name rule_number new_rule_spec
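Rule numbers shift whenever a rule is inserted or deleted, which is what makes -I, -R and -D by number easy to get wrong. The following is an added example, not code from the original article: a small model of one chain kept in a file (the path and the chain_* helper names are constructed for this demonstration), with each helper mirroring the iptables option named in its comment, so the resulting rule order can be inspected without root or iptables.

```shell
#!/bin/sh
# Added example (not from the original article): model of rule numbering in one chain.
# The chain is a file with one rule per line; NR in awk plays the role of the rule number.
CHAIN="${CHAIN:-/tmp/iptables_chain_model.$$}"   # constructed scratch path

chain_reset()  { : > "$CHAIN"; }                                    # iptables -F chain
chain_append() { printf '%s\n' "$*" >> "$CHAIN"; }                  # iptables -A chain rule
chain_insert() {                                                    # iptables -I chain N rule
    n=$1; shift
    # print the new rule just before line N; if N is past the end, append it
    awk -v n="$n" -v r="$*" 'NR == n { print r } { print } END { if (NR < n) print r }' \
        "$CHAIN" > "$CHAIN.tmp" && mv "$CHAIN.tmp" "$CHAIN"
}
chain_replace() {                                                   # iptables -R chain N rule
    n=$1; shift
    awk -v n="$n" -v r="$*" 'NR == n { print r; next } { print }' \
        "$CHAIN" > "$CHAIN.tmp" && mv "$CHAIN.tmp" "$CHAIN"
}
chain_delete() {                                                    # iptables -D chain N
    awk -v n="$1" 'NR != n' "$CHAIN" > "$CHAIN.tmp" && mv "$CHAIN.tmp" "$CHAIN"
}
chain_list()   { awk '{ print NR ": " $0 }' "$CHAIN"; }             # iptables -L chain --line-numbers

# Walk through the operations above and print the final numbered chain.
demo() {
    chain_reset
    chain_append   '-p tcp --dport 22 -j ACCEPT'      # rule 1
    chain_append   '-p tcp --dport 80 -j ACCEPT'      # rule 2
    chain_insert 1 '-i lo -j ACCEPT'                  # becomes rule 1; old 1 and 2 become 2 and 3
    chain_replace 3 '-p tcp --dport 443 -j ACCEPT'    # rule 3 (the port 80 rule) replaced in place
    chain_delete 2                                    # port 22 rule removed; rule 3 becomes rule 2
    chain_list
    rm -f "$CHAIN"
}

demo
```

The final listing shows only the loopback rule as rule 1 and the port 443 rule as rule 2, which is why deleting several rules by number in a loop must go from the highest number down.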

----------------------------------------------------------------------------------

II. iptables examples:

1. Basic chain operations:

Flush the rules of all chains in the default table (filter):
iptables -F

Delete the user-defined chains in the default table (filter):
iptables -X

Zero the packet and byte counters of all rules in a chain (all chains if no chain is named):
iptables -Z

--------------------------------

2. Set the default chain policies:

Default policy that allows all packets:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

Default policy that blocks all packets:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

--------------------------------

3. List the rules in a table or chain:

List all rules in a table or chain:
iptables -L

If the listing is slow (iptables tries to resolve addresses and ports to names), show numbers only:
iptables -L -n

--------------------------------

4. Add rules to a chain:

For example:

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -o eth0 -j ACCEPT

Note: because traffic of local processes never passes through the FORWARD chain, the lo loopback interface is only meaningful in the INPUT and OUTPUT chains.

--------------------------------

5. Use user-defined chains:

iptables -N brus
iptables -A brus -s 0/0 -d 0/0 -p icmp -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -j brus

This example means:
The first command creates a user-defined chain called brus;
The second command appends a custom blocking rule to it with the -A parameter;
The third command appends a rule to the built-in INPUT chain so that all packets are handed to the brus chain for processing.

---------------------------------

6. Basic match conditions:

The commands below show only the match part of a rule; a complete rule also needs a target such as -j ACCEPT or -j DROP (iptables accepts a rule without -j, but it then only counts matching packets).

Match the specified protocol:
iptables -A INPUT -p tcp

Match all protocols other than the specified one:
iptables -A INPUT ! -p tcp

-------------
Address match:

Specified host:
iptables -A INPUT -s 192.168.1.1

Specified network:
iptables -A INPUT -s 192.168.1.0/24

Any address other than the specified host:
iptables -A FORWARD ! -s 192.168.0.1

Any network other than the specified network:
iptables -A FORWARD ! -s 192.168.0.0/24

-----------------
Network interface match:

Specified single network interface (-i incoming, -o outgoing):
iptables -A INPUT -i eth0
iptables -A FORWARD -o eth0

All network interfaces of the same type (a trailing + matches any name starting with eth):
iptables -A FORWARD -o eth+

-------------
Port match (requires -p tcp or -p udp):

Specified single port (a service name from /etc/services or a number):
iptables -A INPUT -p tcp --sport www
iptables -A INPUT -p tcp --sport 80
iptables -A INPUT -p udp --sport 53
iptables -A INPUT -p udp --dport 53

Any port other than the specified port:
iptables -A INPUT -p tcp ! --sport 22

Specified port range:
iptables -A INPUT -p tcp --sport 22:80

ICMP type match (ICMP has no ports; type 8 is echo-request, i.e. ping):
iptables -A INPUT -p icmp --icmp-type 8
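A minimal host firewall assembled from the syntax in this article, as an added example that is not part of the original page: default-drop policies, loopback and port matches, and a user-defined chain that applies the ping restriction from section I. ADMIN_NET is an assumed, constructed management network; the conntrack match (-m conntrack --ctstate) is standard iptables syntax not covered above; IPT defaults to "echo iptables" so the script only prints the commands for review, and must be run as root with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example (not from the original article): baseline filter-table ruleset.
IPT="${IPT:-echo iptables}"                 # "echo iptables" = dry run, "iptables" = apply
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"    # assumed management network (constructed value)

build_ruleset() {
    # 1. start from an empty filter table: flush rules, delete user chains, zero counters
    $IPT -F
    $IPT -X
    $IPT -Z

    # 2. default policies: inbound and forwarded traffic is dropped unless a rule accepts it
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # 3. loopback is only seen on INPUT/OUTPUT, never on FORWARD
    $IPT -A INPUT -i lo -j ACCEPT

    # 4. replies to connections this host opened (conntrack match, not covered in the article)
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 5. port matches: ssh only from the management network, web from anywhere
    $IPT -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 443 -j ACCEPT

    # 6. user-defined chain for ICMP: the management network may ping, echo-request
    #    (type 8) from anyone else is dropped, other ICMP types are accepted
    $IPT -N icmp-policy
    $IPT -A icmp-policy -s "$ADMIN_NET" -j ACCEPT
    $IPT -A icmp-policy -p icmp --icmp-type 8 -j DROP
    $IPT -A icmp-policy -j ACCEPT
    $IPT -A INPUT -p icmp -j icmp-policy

    # anything not matched above falls through to the INPUT policy, i.e. DROP
}

build_ruleset
```

Rule order matters: the loopback and conntrack rules come first so that the bulk of traffic is decided early, and the ICMP chain is hooked with -p icmp so that non-ICMP packets never enter it.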
